The Browser as a Cookie-Control Key

By JOHN SCHWARTZ

Published: September 5, 2001

To many privacy advocates, the most sensible place to offer privacy protection is precisely where the online privacy furor began: the Internet browser. Both Netscape and Microsoft, which make the leading browsers, designed their early versions to accept cookies by default, requiring consumers who want more privacy to change software settings -- something most of them dread.

Browser companies have tried to placate consumers who dislike cookies while serving the Internet companies that depend on cookies. Netscape (which is now part of AOL Time Warner) and Microsoft have taken different approaches to building privacy protection into their product designs.

Michael Wallent, the head of the Internet Explorer design team at Microsoft, said early cookie control tools were aimed at knowledgeable users: ''Geeks tend to love knobs; they love to twiddle.'' But as the Internet population grew to more closely resemble the population at large, he said, software had to become more twiddle-free. Those efforts culminated last week in the arrival of a new technology, known as P3P, appearing in the company's next-generation browser, Internet Explorer 6, that promises to make privacy protection automatic. (The software can be downloaded at http://www.microsoft.com/windows/ie/, and will be included with the company's Windows XP operating system, due in October.)

Microsoft did not create the technology, whose full name is the Platform for Privacy Preferences Project; it grew out of efforts in the mid-1990's within a group that develops standards for the Web, the World Wide Web Consortium, to create a set of tools to help Internet users automatically block sites with offensive content.

The group created what is, essentially, a language for computers to talk to each other about privacy without requiring the user to intervene. The user enters preferences for privacy protection, such as whether personal information can be shared with third parties, into the browser one time; the P3P software can detect and compare those standards with the policies on each site and warn the user if they are in conflict. And for the first time, Microsoft has set its software to automatically reject some cookies: unless the user changes the settings, Explorer will reject cookies coming from third-party sites like advertising networks if those sites do not have a mechanism that lets visitors opt out of data collection.

Lorrie Faith Cranor, a scientist at AT&T Labs who heads the P3P project, said that Microsoft's decision to use the technology was a much-needed boost: ''It said to a lot of companies, 'Yes, this is real.' '' Now thousands of online sites are developing P3P versions of their privacy policies so that they will be ready when Internet Explorer 6 reaches the market.

Still Microsoft's version of P3P lacks the broad range and fine-tuning that Ms. Cranor's version of P3P contains, privacy advocates say. ''Even with its flaws it's good that they're doing it,'' Ms. Cranor said. ''It's just important that we not stop there.''

Netscape's share of the browser market has dropped to 13 percent since Microsoft weighed in. But it, too, is trying to develop more robust privacy tools for its customers, said the director of marketing for Navigator, Sol Goldfarb.

Netscape's approach is to continue to put a large number of options directly in the hands of consumers: ''We saw the value in the finer-grained controls and wanted to put that power into the user's hands,'' Mr. Goldfarb said. As for P3P, he said, it is ''a technology that doesn't yet have critical mass.''

Despite the Microsoft decision, however, some industry analysts and privacy advocates take a dim view of P3P's prospects, because users will still have to figure out how to use it and won't bother. Arabella Hallawell, an analyst with Gartner Inc., said her company ''doesn't believe that P3P is going to make a significant difference.''